Articles about cybersecurity and data privacy written by me, Stephen Cobb, CISSP. (This site can also be reached as zcobb.com and scobb.net.) Follow me on Twitter @zcobb for more frequent security news. (All views expressed here are mine and not those of my employer.)

Monday, April 13, 2009

When they say "anyone can get a Twitter account" they mean anyone and anything can get a Twitter account, including malicious 'bots and worms.

I'm all for equality, open access, and ease of access, but I'm not keen to share my social-network-of-choice with machines and anonymous jerks. History tells us that sort of thing eventually leads to spam and worms, both of which threaten to hobble Twitter as they hobbled email. And a lot of the problems now looming with Twitter are preventable, or at least containable, if the folks at Twitter act now, before things get out of hand.

(As for the hobbling of email, make no mistake, email could be very much better than it is right now if it were less prone to abuse. Securing email, which could be done if the large providers would drop their petty greed-based differences, would make it way more useful and productive than the pale shadow it is today--in other words, spammers and worm-writers cost the world billions in lost productivity, on top of the ongoing cost of blocking their irresponsible crap.)

The first step in prevention and protection for Twitter is to require email confirmation for Twitter signup. That would make it harder to do things like this. Right now the Twitter signup process is irresponsibly open, as in "open to abuse," and we are seeing the first Twitter worms right now. Consider what happened recently when I had the pleasure of participating in an elaborate April Fool's caper.

To increase the credibility of our hoax I created a Twitter account in the name of the fake product we launched. I was shocked at how easy this was. Although the Twitter signup process asks for an email address it does not check to make sure the address is real. There is no "confirmation email" such as most forums, bulletin boards, and social networks require. And although Twitter signup uses a captcha, we know captchas can be beaten by any entity who is motivated enough to create fake accounts. (The "fake" account that I created used a valid email address but tests show this is not required--Twitter does try to validate your email address after signup and lets you know if they have a problem with it, but they don't kick you off the system.)

The point is, and I say this with love--because I love to Twitter--the folks at Twitter could do more to prevent abuse. Right now they have a chance to save Twitter from worms and I'm hoping they will learn from the mistakes made by email providers and act now rather than later, when it will be that much harder. I predict email verification will eventually come to Twitter, so why not do it now? The email industry missed several golden opportunities to keep the bad guys and bullies out. Twitter can do better, and I hope it will. I would happily give up the ability to make fake Twitter accounts for April Fool's Day.
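An added example (mine, not Twitter's code or the post's) of the confirmation gate the post is asking for: a new account stays pending, and cannot post, until a signed, time-limited token sent to the registered address is redeemed, rather than being activated first and checked later. SECRET_KEY, TOKEN_TTL and the Registry class are constructed for illustration.

```python
import hmac
import hashlib
import secrets
import time

# Constructed example, not Twitter's code: accounts stay "pending" and cannot post
# until the address that registered them redeems a confirmation token.
SECRET_KEY = secrets.token_bytes(32)  # per-deployment signing key (hypothetical)
TOKEN_TTL = 24 * 3600                 # confirmation links expire after one day

class Registry:
    def __init__(self, now=time.time):
        self.now = now        # injectable clock so expiry can be exercised
        self.accounts = {}    # email -> {"status": "pending"|"active", "issued": ts}

    def signup(self, email):
        """Create a pending account and return the confirmation token to email out."""
        issued = int(self.now())
        self.accounts[email] = {"status": "pending", "issued": issued}
        msg = f"{email}|{issued}".encode()
        sig = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
        return f"{email}|{issued}|{sig}"

    def confirm(self, token):
        """Activate the account only if the token is authentic, unexpired and unused."""
        try:
            email, issued, sig = token.rsplit("|", 2)
        except ValueError:
            return False
        expected = hmac.new(SECRET_KEY, f"{email}|{issued}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):      # tampered or forged token
            return False
        acct = self.accounts.get(email)
        if acct is None or acct["status"] != "pending" or str(acct["issued"]) != issued:
            return False                                # unknown, already active, or stale
        if self.now() - int(issued) > TOKEN_TTL:
            return False                                # link expired
        acct["status"] = "active"
        return True

    def can_post(self, email):
        acct = self.accounts.get(email)
        return acct is not None and acct["status"] == "active"
```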

Thursday, April 09, 2009

Surely April 8 will be flagged as a new low in the history of American journalism. Why? The "power grid may be hacked" story, and I use the word "story" very intentionally. Everything I heard and saw about this yesterday--from CNN to NBC--was, to put it politely: trash. About the only thing I've seen written about this that made sense was former hacker Kevin Poulsen blogging at Wired:

"The unspoken lesson here is obvious: Chinese Superhackers Are Our Superiors. No, wait. That's not it. I know...Only the intelligence agencies are equipped to protect us from foreign cyber attacks."

My own theory was that the large power companies, fearful of localized, alternative power generation, were trying to scare people away from "smart grids." This theory is based on the fact that a lot of the "reporting" suggested smart grids would make our power supply more vulnerable. Yeah, like that's why they're called smart. Does nobody out there in mainstream media remember why the Internet was designed like it is?

I recall, nine, maybe ten years ago, when someone on our penetration testing team said "Can I let some water out of the dam, please, that would be so cool?" Because Yes, we had reached the power company's hydro-electric control panel. We said No to that particular demonstration of how far we had penetrated. After all, it was the power company that had hired us to test their security. And the power company fixed the holes we found. AFAIK they've regularly checked for, and fixed, new ones ever since. The grid is not impenetrable, but this whole legend that "Russian and Chinese hackers are all up in our systems and can pull killer moves at the click of a mouse" just seems like scare-mongering. And people normally carry out scare-mongering for a reason.

Did anyone hear any journalist ask "Why?" As in why would people, foreign or domestic, want to mess with the grid? After all, anyone with a backhoe could drive into the field near my house today and cut the prominently labeled Verizon fiber optic trunk that runs through here (here being a place where lots of people own backhoes). But for years people have somehow avoided the temptation to do this (even deranged broadband addicts bummed out on dialup and convinced by voices in their fillings that cutting the cable was a cheap way to get FIOS, the fastest Internet and best TV picture ever).

Sure, there are some gifted hackers in Russia and China, but there is zero doubt in my mind that America could bring both of those countries to their knees in a matter of minutes if any kind of cyber-war were to break out.

So, as far as I can tell no mainstream journalists bothered to ask Why? Or bothered to think about where this story came from and how come it appeared at this time. The grid was no more or less susceptible on April 8, 2009 than it was on April 7, 2009. And I don't know whether to pity or impugn the talking heads they trotted out to comment on this "story."

Please let me know if you heard anyone in the media, besides Mr. Poulsen, raising the possibility that this story was part of the push by NSA to take over cyber-security from DHS (that's NSA as in "Not Safe Agency" that worked with companies like AT&T to suck the Internet into massive servers so they can read our email and blog posts).

And if you have heard anything to suggest that the Obama administration is about to kick some serious cyber-butt and bring sanity to our secret agencies and critical infrastructure protection programs, I'd really appreciate hearing about it, because frankly I'm getting pretty depressed here.


About Me

25 years focusing on cybersecurity and data privacy. Trying to help people enjoy technology and its benefits by working to mitigate the impact of criminals and other ‘bad actors’ in cyberspace. Trying to close the cybersecurity skills gap by encouraging women and minorities to enter the profession. Certified Information Systems Security Professional (CISSP) since 1996. I am fortunate to be paid to do security research by ESET, one of the world's largest security software companies. (These blog posts are mine and the views expressed in them are mine - although my employer has some pretty cool views too.)
What else? Wrote a bunch of books, started several successful companies. Produced a commercially unsuccessful but award-winning documentary about civil rights. Also strive to create greater awareness of hemochromatosis, the most common genetic killer in the Western world (that nearly killed my partner). Oh, and I'm working on a Master's degree in Security and Risk Management in the Criminology Department of the University of Leicester, England.